The U.S. Department of the Treasury on October 20, 2022, issued its first-ever Committee on Foreign Investment in the United States (CFIUS) Enforcement and Penalty Guidelines. Publishing of the Guidelines reinforces recent CFIUS statements about the need for CFIUS penalties to ensure compliance with CFIUS statutory and regulatory requirements and strongly suggests that CFIUS is likely to begin taking enforcement actions in the coming months. Assistant Secretary of the Treasury for Investment Security Paul Rosen stated that the Guidelines “[send] a clear message:  Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”

Increased Enforcement (Including Financial Penalties) Likely on the Horizon

The passage of the Foreign Risk Review Modernization Act of 2018 (FIRRMA) allowed CFIUS to stand-up a robust Enforcement and Mitigation Division that is actively reaching out to U.S. businesses on non-notified transactions and monitoring CFIUS mitigation agreements for compliance.

In recent years, however, only two CFIUS enforcement actions have resulted in penalties: a $750,000 penalty was imposed in 2019 for failure to restrict and adequately monitor access to protected data defined in the interim CFIUS order, and a $1 million penalty was levied in 2018 for repeated breaches of a 2016 mitigation agreement, failure to establish required security policies, and failure to provide adequate reports to CFIUS.

Depending upon the seriousness and frequency of the violation, potential penalties and other remedial measures mentioned in 31 CFR § 800.901 and 31 CFR § 800.902 include: civil penalties not to exceed $250,000 or, in certain cases, up to the value of the transaction, whichever is higher, a drafting of a plan of action or new/amended CFIUS mitigation agreement (with failure to comply with plan of action being grounds for a new penalty), and the possibility of CFIUS initiating a new review of certain transactions.  The new Guidelines will apply to enforcement in the context of these provisions, as well as the enforcement provisions of 31 CFR parts 801 and 802.

Types of Conduct That May Constitute a Violation

The Guidelines identify three types of conduct that may constitute a violation, as follows:

• Material misstatements or omissions in filings with CFIUS, or false or materially incomplete certifications delivered to CFIUS;
• Failure to file a Mandatory Declaration or Notice; and
• Non-compliance with CFIUS mitigation agreements, conditions, or orders.

Four Step Penalty Process

In the event that CFIUS decides a penalty is warranted, the new Guidelines contemplate a four-step process, as follows:

Step 1: CFIUS sends written notice of penalty to the alleged violator (a company or an individual), including a description of the conduct to be penalized, the legal reasons why a penalty is being sought and the amount of the financial penalty, and may include aggravating and mitigating factors CFIUS considered in reaching its penalty decision.

Step 2: The recipient has 15 business days (unless extended by Treasury) to submit a written petition for reconsideration, which may include evidence in defense, justification, mitigating factors, and/or explanatory information.

Step 3: If no written response is filed, CFIUS ordinarily will issue a final penalty (likely to be the same as proposed in the notice of penalty).  If a written response is received, CFIUS will consider the written submission before making a final decision within 15 business days (subject to extension by agreement with CFIUS).  It is possible, but not clearly signaled in the Guidelines, that at this stage there may be negotiations with CFIUS over penalty terms and conditions.

Step 4: CFIUS issues its final written penalty determination.  Given the considerable deference typically granted to CFIUS and other national security agency decisions by U.S. courts, lawsuits challenging CFIUS decisions are rare.

The timeframes contemplated by the Guidelines come as no surprise, as they essentially mirror the timeframes set out in the regulations.

Aggravating and Mitigating Factor Considerations

The Guidelines lay out factors that CFIUS may consider as aggravating or mitigating, but emphasize that the list is non-exhaustive and that factors relevant to one case may not be relevant to another.  The Guidelines categorized the various factors as follows:

• Accountability and Future Compliance: this factor attempts to balance the need to hold violators accountable with the need to incentivize compliance and cooperation (self-reporting is evaluated as part of this factor);
• Harm: the degree of harm to U.S. national security because of the violation;
• Negligence, Awareness, and Intent: an evaluation of the role of simple negligence, gross negligence, intentional action, or willfulness that led to the violation, along with any efforts to conceal or delay, and the seniority of the personnel in an entity who knew or should have known of the conduct;
• Persistence and Timing: frequency and duration of conduct, and how long it took to report the violation to CFIUS; the length of time between a CFIUS mitigation agreement beginning and occurrence of a violation of the agreement; and, in the case of a failure to file, the date the transaction occurred;
• Response and Remediation: was there self-disclosure and how timely and complete was the disclosure; did the company cooperate with CFIUS by providing timely and detailed information; was there complete remediation; and did the company perform a detailed internal review of the violation to prevent future violations; and
• Sophistication and Record of Compliance: an evaluation of history and familiarity with CFIUS and record of compliance in previous/ongoing CFIUS cases; whether the violator has adequate internal and external compliance resources (including legal counsel, consultants, auditors and monitors); whether there are adequate policies and procedures in place and whether they are communicated and complied with across the business; whether there is a general culture of compliance within the company; and whether the CFIUS security officer (if applicable) had appropriate authority, access, and independence.

None of these factors are surprising – in fact, most are already commonly in use by CFIUS and other federal agencies (such as the export control agencies and the Office of Foreign Assets Control).

Common Ways CFIUS Discovers Violations

The Guidelines make clear that CFIUS “strongly encourages” the filing of timely self-disclosures of conduct that may constitute a violation – and, as noted above, a timely and detailed voluntary disclosure may be weighed by CFIUS as a mitigating factor in reaching a decision on whether to impose a penalty and if so, the appropriate amount for the penalty.

Significantly, however, it should be noted that CFIUS enjoys a number of other means of obtaining information about violations, including:

• tips from the public, Members of Congress, media, and public interest groups (CFIUS has a Tips Line on its website for public citizen comment);
• during ongoing reviews by CFIUS concerning a company’s mitigation agreement compliance, including answers and information provided by a company to CFIUS;
• third-party audits and third-party monitor reports (particularly relevant for mitigation agreements with third-party oversight requirements);
• federal and state agency reports to CFIUS, such as FBI and other intelligence agency reports (reports may come from both CFIUS members agencies and non-CFIUS member agencies);
• transaction and filing parties;
• publicly available information; and
• from responses to exercise of CFIUS subpoena authority under 50 USC 4555(a).

Given the large number of potential sources of information, persons who may have been involved in a violation should carefully consider the potential benefits of self-disclosure.

Conclusion

Issuance of the new Enforcement and Penalty Guidelines likely is just the first step towards a ramp up of CFIUC enforcement engagement and activity in the coming months.

[View source.]